Testing Your Configuration

This section describes how to test connectivity for the single mode ASA or for each security context, how to ping the ASA interfaces, and how to allow hosts on one interface to ping through to hosts on another interface.

Note Although this procedure uses IP addresses, the ping command also supports DNS names and names that are assigned to a local IP address with the name command.

The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA. (See Figure 1-1.)

Figure 1-1 Network Diagram with Interfaces, Routers, and Hosts

Step 2 Ping each ASA interface from the
directly connected
routers. For transparent mode, ping the management IP address. This test ensures that the ASA interfaces are active and that the interface configuration is correct.

A ping might fail if the ASA interface is not active, the interface configuration is incorrect, or if a switch between the ASA and a router is down (see Figure 1-2). In this case, no debugging messages or syslog messages appear, because the packet never reaches the ASA.

Figure 1-2 Ping Failure at the ASA Interface

If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:

ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2

ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist (see Figure 1-3).

Figure 1-3 Ping Failure Because of IP Addressing Problems

Step 3 Ping each ASA interface from a remote host. For transparent mode, ping the management IP address. This test checks whether the directly connected router can route the packet between the host and the ASA, and whether the ASA can correctly route the packet back to the host.

A ping might fail if the ASA does not have a return route to the host through the intermediate router (see Figure 1-4). In this case, the debugging messages show that the ping was successful, but syslog message 110001 appears, indicating a routing failure has occurred.

Figure 1-4 Ping Failure Because the ASA Has No Return Route

Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping

The Ping tool is useful for verifying the configuration and operation of the ASA and surrounding communications links, as well as for testing other network devices.

Information About Ping

A ping is sent to an IP address and it returns a reply. This process enables network devices to discover, identify, and test each other.

The Ping tool uses ICMP (as described in RFC 777 and RFC 792) to define an echo request-and-reply transaction between two network devices. The
echo
request packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.

Administrators can use the ASDM Ping interactive diagnostic tool in these ways:

Loopback testing of two interfaces—A ping may be initiated from one interface to another on the same ASA, as an external loopback test to verify basic “up” status and operation of each interface.

Pinging to an ASA—The Ping tool can ping an interface on another ASA to verify that it is up and responding.

Pinging through an ASA—Ping packets originating from the Ping tool may pass through an intermediate ASA on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit.

Pinging to test questionable operation of a network device—A ping may be initiated from an ASA interface to a network device that is suspected of functioning incorrectly. If the interface is configured correctly and an echo is not received, there may be problems with the device.

Pinging to test intermediate communications—A ping may be initiated from an ASA interface to a network device that is known to be functioning correctly and returning echo requests. If the echo is received, the correct operation of any intermediate devices and physical connectivity is confirmed.

Pinging From an ASA Interface

For basic testing of an interface, you can initiate a ping from an ASA interface to a network device that you know is functioning correctly and returning replies through the intermediate communications path. For basic testing, make sure you do the following:

Verify receipt of the ping from the ASA interface by the “known good” device. If the ping is not received, a problem with the transmitting hardware or interface configuration may exist.

If the ASA interface is configured correctly and it does not receive an echo reply from the “known good” device, problems with the interface hardware receiving function may exist. If a different interface with “known good” receiving capability can receive an echo after pinging the same “known good” device, the hardware receiving problem of the first interface is confirmed.

Pinging to an ASA Interface

When you try to ping to
an ASA interface, verify that the pinging response (ICMP echo reply
)
is enabled for that interface by choosing
Tools > Ping
. When pinging is disabled, the ASA cannot be detected by other devices or software applications, and does not respond to the ASDM Ping tool.

Pinging Through the ASA Interface

To verify that other types of network traffic from “known good” sources are being passed through the ASA, choose
Monitoring > Interfaces > Interface Graphs
or an SNMP management station.

Troubleshooting the Ping Tool

When pings fail to receive an echo, it may be the result of a configuration or operational error in an ASA, and not necessarily because of no response from the IP address being pinged. Before using the Ping tool to ping from, to, or through an ASA interface, perform the following basic checks:

Note If a hostname has been assigned in the Configuration > Firewall > Objects > Service Objects/Groupspane, you can use the hostname in place of the IP address.

Step 3 (Optional) Choose the ASA interface that transmits the echo request packets from the drop-down list. If it is not specified, the ASA checks the routing table to find the destination address and uses the required interface.

Step 4 Click
Ping
to send an ICMP echo request packet from the specified or default interface to the specified IP address and start the response timer.

The response appears in the Ping Output area. Three attempts are made to ping the IP address, and results display the following fields:

The IP address of the device pinged or a device name, if available. The name of the device, if assigned, may be displayed, even if NO response is the result.

When the ping is transmitted, a millisecond timer starts with a specified maximum, or timeout value. This timer is useful for testing the relative response times of different routes or activity levels.

Step 5 To enter a new IP address, click
Clear Screen
to remove the previous response from the Ping output area.

Determining Packet Routing with Traceroute

The Traceroute tool helps you to determine the route that packets will take to their destination. The tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following table lists the output symbols printed by this tool.

Output Symbol

Description

*

No response was received for the probe within the timeout period.

nn
msec

For each node, the round-trip time (in milliseconds) for the specified number of probes.

Step 2 Enter hostname or IP address to which the route is traced. If the hostname is given, define it by choosing
Configuration > Firewall > Objects > Service Objects/Groups
, or configure a DNS server to enable this tool to resolve the hostname to an IP address.

Step 3 Enter the amount of time in seconds to wait for a response before the connection times out. The default is three seconds.

Step 4 Type the destination port used by the UDP probe messages. The default is 33434.

Step 5 Enter the number of probes to be sent at each TTL level. The default is three.

Step 6 Specify the minimum and maximum TTL values for the first probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The traceroute terminates when the packet reaches the destination or when the maximum value is reached.

Step 7 Check the Specify source interface or IP address check box. Choose the source interface or IP address for the packet trace from the drop-down list. This IP address must be the IP address of one of the interfaces. In transparent mode, it must be the management IP address of the ASA.

Step 8 Check the
Reverse Resolve
check box to have the output display the names of hops encountered if name resolution is configured. Leave this check box unchecked to have the output display IP addresses.

Step 9 Check the
Use ICMP
check box to specify the use of ICMP probe packets instead of UDP probe packets.

Step 10 Click
Trace Route
to start the traceroute.

The Traceroute Output area displays detailed messages about the traceroute results.

Step 11 Click
Clear Output
to start a new traceroute.

Tracing Packets with Packet Tracer

The packet tracer tool provides packet tracing for packet sniffing and network fault isolation, as well as detailed information about the packets and how they are processed by the ASA. If a configuration command did not cause the packet to drop, the packet tracer tool can provide information about the cause in an easily readable format.

In addition, you can trace the lifespan of a packet through the ASA to see whether the packet is operating correctly with the packet tracer tool. This tool enables you to do the following:

Debug all packet drops in a production network.

Verify the configuration is working as intended.

Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.

Show a time line of packet changes in a data path.

Inject tracer packets into the data path.

Search for an IPv4 or IPv6 address based on the user identity and the FQDN.

Step 2 Choose the source interface for the packet trace from the drop-down list.

Step 3 Specify the protocol type for the packet trace. Available protocol types include ICMP, IP, TCP, and UDP.

Step 4 In the Source drop-down list, select one of the following options:

IP Address

User

FQDN

Security Tag

Security Name

Select the Security Tag or Security Name options when you want to trace packets sent by the ASA when integrated with the Cisco TrustSec solution. Security names are created on the Cisco ISE and provide user-friendly names for security groups.

If a security policy is configured on the ASA with that security tags or security names, the ASA enforces the policy. (You can create security policies on the ASA that contain security tags or security names. To enforce policies based on security group names, the ASA needs the security group table to map security names to security tags.)

Step 5 Based on the option you selected from the Source drop-down list, enter the corresponding text for the item you want to trace; for example, enter the source IP address for the packet trace in the Source IP Address field.

Step 6 For TCP and UDP only, choose the source port for the packet trace from the drop-down list.

Step 7 In the Destination drop-down list, select one of the following options:

IP Address

FQDN

Security Tag

Security Name

Step 8 Based on the option you selected from the Destination drop-down list, enter the corresponding text for the item you want to trace; for example, enter the source IP address for the packet trace in the Destination IP Address field.

Step 9 For TCP and UDP only, choose the destination port for the packet trace from the drop-down list.

Step 10 For ICMP only, choose the type of packet trace from the Type drop-down list. Then enter the trace code and trace ID in the appropriate fields.

Step 11 For IP only, enter the protocol number in the Protocol field. Valid values range from 0 to 255.

Step 12 Click
Start
to trace the packet.

The Information Display Area shows detailed messages about the results of the packet trace.

Note To display a graphical representation of the packet trace, check the Show animation check box.

Step 13 Click
Clear
to start a new packet trace.

Monitoring Performance

To view ASA performance information in a graphical or tabular format, perform the following steps:

Step 2 Select one or more entries from the Available Graphs list, then click
Add
to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click
Remove
. The available options are the following:

You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.

Step 4 Click
Show Graphs
to view performance statistics in a new or updated graph window.

Step 5 Click the
Table
tab to view the same performance statistics in a tabular format.

Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.

Blocks

Step 2 Select one or more entries from the Available Graphs list, then click
Add
to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click
Remove
. The available options are the following:

Blocks Used—Displays the ASA used memory blocks.

Blocks Free—Displays the ASA free memory blocks.

You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.

Step 4 Click
Show Graphs
to view system resource statistics in a new or updated graph window.

Step 5 Click the
Table
tab to view the same performance statistics in a tabular format.

Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.

CPU

Step 2 Select one or more entries from the Available Graphs list, then click
Add
to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click
Remove
.

You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.

Step 4 Click
Show Graphs
to view system resource statistics in a new or updated graph window.

Step 5 Click the
Table
tab to view the same performance statistics in a tabular format.

Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.

Memory

Step 2 Select one or more entries from the Available Graphs list, then click
Add
to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click
Remove
. The available options are the following:

Free Memory—Displays the ASA free memory.

Used Memory—Displays the ASA used memory.

You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.

Step 4 Click
Show Graphs
to view system resource statistics in a new or updated graph window.

Step 5 Click the
Table
tab to view the same performance statistics in a tabular format.

Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.

Monitoring Connections

To view current connections in a tabular format, in the ASDM main window, choose
Monitoring > Properties > Connections
. Each connection is identified by the following parameters:

Protocol

Source:

– Security ID

– Security Name

– IP address

– Port

Destination:

– Security ID

– Security Name

– IP address

– Port

Idle time since the last packet was sent or received

Amount of sent and received traffic on the connection

Monitoring Per-Process CPU Usage

You can monitor the processes that run on the CPU. You can obtain information about the percentage of CPU that is used by a certain process. CPU usage statistics are sorted in descending order to display the highest consumer at the top. Also included is information about the load on the CPU per process, at 5 seconds, 1 minute, and 5 minutes before the log time. This information is updated automatically every 5 seconds to provide real-time statistics. In ASDM, it is updated every 30 seconds.

To view CPU usage on a per-process basis, perform the following steps: